Comments (14)
There is a project out there called Mistborn that is able to do that but it also includes a lot of other services and I found it a bit overkill for my needs. Wirehole would be damn near perfect with that functionality.
from wirehole.
There is a project out there called Mistborn that is able to do that but it also includes a lot of other services and I found it a bit overkill for my needs. Wirehole would be damn near perfect with that functionality.
OMG had no idea this even existed. Thanks for the tip! It may, in fact, have everything I need!
Actually, almost everything I want... no unbound... I'd rather be running a recursive DNS locally than have to rely on DoH/DNSCrypt - but it's definitely a start! Regardless, I still LOVE wirehole, so if there's any way to configure it in such a way that we can pass WG clients to pihole in this config, that would be AMAZING.
from wirehole.
I've been looking into this.
The wireguard container uses masquerading to hide all client IPs so that requests look like they come from the wireguard container itself. You can see this in the wireguard container:
root@xxxx# iptables -t nat -L -v -n | grep MASQUERADE
7766 499K MASQUERADE all -- * eth+ 0.0.0.0/0 0.0.0.0/0
This rule can be removed manually from within the wireguard container using:
iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The masquerade rule is added by the wireguard configuration in /config/wg0.conf - which seems to be generated from PostUp and PostDown clauses in wireguard/templates/server.conf. To make this change permanent would require removing the last iptables clauses from the template.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The other containers then need to know how to route traffic to 10.6.0.0/24. In the pihole container this can be configured manually, but I'm not sure how to get this rule to stick when the container restarts.
ip route add 10.6.0.0/24 via 10.2.0.3
I don't know how to add the route to the unbound container. It doesn't seem to have networking tools. Perhaps someone can help here.
from wirehole.
A working setup:
- merge pihole into wireguard's network (networks, dns)
- have dnsmasq listening on all interfaces (as DNS queries arrive from wg0)
pihole:
  depends_on: [ unbound ]
  container_name: pihole
  image: pihole/pihole:latest
  restart: unless-stopped
  network_mode: "container:wireguard" # assign pihole to wireguard's network
  hostname: pihole
  environment:
    TZ: "Etc/UTC"
    FTLCONF_LOCAL_IPV4: 10.2.0.100 # Internal IP of pihole
    PIHOLE_DNS_: 10.2.0.200 # Unbound IP
    DNSMASQ_LISTENING: "all" # dnsmasq to listen on all interfaces
  .
  .
wireguard:
  .
  dns:
    - 127.0.0.1
    - 10.2.0.100 # Points to pihole
    - 10.2.0.200 # Points to unbound
  networks:
    private_network:
      ipv4_address: 10.2.0.100
      aliases:
        - pihole # optional
@IAmStoxe FYI
from wirehole.
There is a project out there called Mistborn that is able to do that but it also includes a lot of other services and I found it a bit overkill for my needs. Wirehole would be damn near perfect with that functionality.
I just gave it a try but as you already mentioned it's too much for my needs.
Wirehole is perfect except the fact that I only see one client:
wireguard.wirehole_private_network
from wirehole.
OK.. I haven't had any experience with s6-overlay, so it took me a little to work out how to hook into its initialisation routine to make the routing work after container restart. It's not a perfect setup - I don't really like having the network details in this scripting - but it is working now. With the above changes to the wireguard container (you might have to delete the wireguard/wg0.conf to ensure it gets re-created) I have wireguard client IP addresses showing up in the pi-hole UI.
I created a very simple shell script, pihole-wireguard-route.sh, that adds the required route using the command I listed above:
#!/bin/sh
ip route add 10.6.0.0/24 via 10.2.0.3
I then mounted this into the pihole container using the following volume mounts in the docker-compose.yaml file
volumes:
- "./etc-pihole/:/etc/pihole/"
- "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
- "./pihole-wireguard-route.sh:/etc/cont-init.d/10-pihole-wireguard-route.sh"
from wirehole.
I've been looking into this. The wireguard container uses masquerading to hide all client IPs so that requests look like they come from the wireguard container itself. You can see this in the wireguard container:
root@xxxx# iptables -t nat -L -v -n | grep MASQUERADE
7766 499K MASQUERADE all -- * eth+ 0.0.0.0/0 0.0.0.0/0
This rule can be removed manually from within the wireguard container using:
iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The masquerade rule is added by the wireguard configuration in /config/wg0.conf - which seems to be generated from PostUp and PostDown clauses in wireguard/templates/server.conf. To make this change permanent would require removing the last iptables clauses from the template.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The other containers then need to know how to route traffic to 10.6.0.0/24. In the pihole container this can be configured manually, but I'm not sure how to get this rule to stick when the container restarts.
ip route add 10.6.0.0/24 via 10.2.0.3
I don't know how to add the route to the unbound container. It doesn't seem to have networking tools. Perhaps someone can help here.
I followed this instruction and now my pi hole is able to identify wg IP and filter the request. But my clients don't receive any of the filter result (infinite loading on client), even though I'm able to ping clients' wg IP from the pi hole container, and I'm able to ping the pi hole container from my client. Any suggestions?
edit: In the pi hole container, tcpdump confirms that ICMP packets are able to go to the wg client, but other packets can't. This is getting weirder.
edit 2: found it. change PostUp masquerade to
iptables -t nat -A POSTROUTING ! -d ${module.exports.DOCKER_SUBNET} -o eth+ -j MASQUERADE;
where docker subnet is the network that the container uses. The other PostUp rules stay the same.
from wirehole.
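The masquerade behaviour explained earlier in the thread and the `! -d <docker subnet>` fix just above, as an added example that is not code from the wirehole project: it builds the PostUp/PostDown lines with the exemption and audits an `iptables -t nat -S POSTROUTING` dump for any MASQUERADE rule that would still hide VPN client IPs from the Pi-hole container. The subnet 10.2.0.0/24 and the sample dumps are constructed values, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the wirehole project: build the PostUp/PostDown
# lines with the Docker-subnet exemption from this thread, and audit an
# `iptables -t nat -S POSTROUTING` dump for MASQUERADE rules that still rewrite
# the source of VPN client packets headed for containers on that subnet.
# The subnet 10.2.0.0/24 and the sample dumps below are constructed values.

# Print the PostUp line for a Docker subnet given in CIDR form. Packets to that
# subnet keep their WireGuard client source IP; everything else leaving via
# eth+ is still masqueraded, which is what keeps internet return traffic working.
wg_postup() {
    case "$1" in
        */*) ;;
        *) echo "wg_postup: expected CIDR subnet, got '$1'" >&2; return 1 ;;
    esac
    printf 'PostUp = iptables -A FORWARD -i %%i -j ACCEPT; iptables -A FORWARD -o %%i -j ACCEPT; iptables -t nat -A POSTROUTING ! -d %s -o eth+ -j MASQUERADE\n' "$1"
}

# PostDown must mirror PostUp exactly: `iptables -D` with a rule spec only deletes
# a rule whose match is identical, so a PostDown without `! -d` leaves the
# masquerade rule behind after wg0 goes down.
wg_postdown() {
    case "$1" in
        */*) ;;
        *) echo "wg_postdown: expected CIDR subnet, got '$1'" >&2; return 1 ;;
    esac
    printf 'PostDown = iptables -D FORWARD -i %%i -j ACCEPT; iptables -D FORWARD -o %%i -j ACCEPT; iptables -t nat -D POSTROUTING ! -d %s -o eth+ -j MASQUERADE\n' "$1"
}

# Read `iptables -t nat -S POSTROUTING` output on stdin. Succeeds (exit 0) if a
# MASQUERADE rule exists that does not exempt the subnet, i.e. Pi-hole would
# still log every query as coming from the wireguard container.
masq_hides_clients() {
    grep -- '-j MASQUERADE' | grep -vF -- "! -d $1" | grep -q .
}

# Constructed dumps: the stock template rule, and the rule with the exemption.
DUMP_STOCK='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth+ -j MASQUERADE'
DUMP_FIXED='-P POSTROUTING ACCEPT
-A POSTROUTING ! -d 10.2.0.0/24 -o eth+ -j MASQUERADE'

wg_postup 10.2.0.0/24
wg_postdown 10.2.0.0/24
for dump in "$DUMP_STOCK" "$DUMP_FIXED"; do
    if printf '%s\n' "$dump" | masq_hides_clients 10.2.0.0/24; then
        echo "audit: client IPs hidden from services on 10.2.0.0/24"
    else
        echo "audit: client IPs visible to services on 10.2.0.0/24"
    fi
done
```

To audit a live container, pipe the real dump in: `docker exec wireguard iptables -t nat -S POSTROUTING | masq_hides_clients 10.2.0.0/24`.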
There is a project out there called Mistborn that is able to do that but it also includes a lot of other services and I found it a bit overkill for my needs. Wirehole would be damn near perfect with that functionality.
OMG had no idea this even existed. Thanks for the tip! It may, in fact, have everything I need!
from wirehole.
Wirehole is perfect except the fact that I only see one client: wireguard.wirehole_private_network
This doesn't fit #23 (comment), or do I understand it totally wrong?
from wirehole.
OK.. I haven't had any experience with s6-overlay, so it took me a little to work out how to hook into its initialisation routine to make the routing work after container restart. It's not a perfect setup - I don't really like having the network details in this scripting - but it is working now. With the above changes to the wireguard container (you might have to delete the wireguard/wg0.conf to ensure it gets re-created) I have wireguard client IP addresses showing up in the pi-hole UI.
I created a very simple shell script, pihole-wireguard-route.sh, that adds the required route using the command I listed above:
#!/bin/sh
ip route add 10.6.0.0/24 via 10.2.0.3
I then mounted this into the pihole container using the following volume mounts in the docker-compose.yaml file
volumes:
- "./etc-pihole/:/etc/pihole/"
- "./etc-dnsmasq.d/:/etc/dnsmasq.d/"
- "./pihole-wireguard-route.sh:/etc/cont-init.d/10-pihole-wireguard-route.sh"
I tried this and while my client IPs started appearing on PiHole, I lost my internet connection. I wonder what I did wrong.
from wirehole.
Yah. I'm just using my setup for DNS. Not as a general VPN. You would need a different setup to also use the VPN for internet access. I'm not exactly sure how to configure it that way.
from wirehole.
Is there already an idea for a solution to see the single clients in the PiHole, e.g. via another route config?
from wirehole.
I've been looking into this. The wireguard container uses masquerading to hide all client IPs so that requests look like they come from the wireguard container itself. You can see this in the wireguard container:
root@xxxx# iptables -t nat -L -v -n | grep MASQUERADE
7766 499K MASQUERADE all -- * eth+ 0.0.0.0/0 0.0.0.0/0
This rule can be removed manually from within the wireguard container using:
iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The masquerade rule is added by the wireguard configuration in /config/wg0.conf - which seems to be generated from PostUp and PostDown clauses in wireguard/templates/server.conf. To make this change permanent would require removing the last iptables clauses from the template.
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth+ -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
The other containers then need to know how to route traffic to 10.6.0.0/24. In the pihole container this can be configured manually, but I'm not sure how to get this rule to stick when the container restarts.
ip route add 10.6.0.0/24 via 10.2.0.3
I don't know how to add the route to the unbound container. It doesn't seem to have networking tools. Perhaps someone can help here.
I followed this instruction and now my pi hole is able to identify wg IP and filter the request. But my clients don't receive any of the filter result (infinite loading on client), even though I'm able to ping clients' wg IP from the pi hole container, and I'm able to ping the pi hole container from my client. Any suggestions?
edit: In the pi hole container, tcpdump confirms that ICMP packets are able to go to the wg client, but other packets can't. This is getting weirder.
edit 2: found it. change PostUp masquerade to
iptables -t nat -A POSTROUTING ! -d ${module.exports.DOCKER_SUBNET} -o eth+ -j MASQUERADE;
where docker subnet is the network that the container uses. The other PostUp rules stay the same.
Thank you both guys so much! After so many hours I was able to make it work with your advice, I am very grateful. You are awesome!!
from wirehole.
This is something 🔥🔥, I was facing this issue with my wg-easy + adguard home, where I need to see my client address, and this just helped. If someone else is facing this problem, in the wg-easy compose, just add:
environment:
  - WG_POST_UP=iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING ! -d {wg-easy subnet} -o eth+ -j MASQUERADE
  - WG_POST_DOWN=iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth+ -j MASQUERADE
from wirehole.